Somehow my computer got infected with a bunch of spyware and now I can't get it to completely go away. I had 180Solutions, Bulleseye, Your Site bar...a bunch of stuff like that but I think I was able to get rid of some of those. Now when I log on to Windows Microsoft Antispyware is telling me that p2pnetworking.exe is trying to gain access or something I'm not sure. If anyone could look at this log and please tell me what I could do to clean it up, I know there is a lot of stuff going on. Thanks!

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

Thanks, it seems to be getting worse with time. I've tried everything I can think of. I started having problems with spyware about a week ago, I run Adaware, Spybot and Microsoft AntiSpyware but it does nothing. I've even gotten into the registry and tried to clean up things but it always comes back. It rebuilds itself every time I uninstall and run spyware scans. I spent four hours yesterday cleaning up spyware and restarted the computer and bam it's all back plus some. It seems to grow and download more programs every day. I don't know what to do anymore, maybe someone can help. Another thing that's strange, a C:\Uploads folder was created and there were over 5600 zipped program files in it, where the heck does that come from?

Please download and install Ewido Security Suite v3.5

If Ewido finds something that you KNOW is legitimate (watch for alerts that have the word "Heuristic" in them - these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.

When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click Update.

Then click on "Start Update".

The update will begin and a progress bar will show the updates being installed. If you are having problems with the updater, use Update Ewido

After the update finishes, the status bar at the bottom will display "Update successful"

After the updates are installed do the following:

Click on Scanner and select "Settings"

Under the bottom section "What to Scan?" select "Scan every file"

Select "OK" and you will return to scanning options

Click on "Complete System Scan" [This can take a while to complete so please be patient]

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then UNCHECK "Perform action on all infections" and click "OK". Note: You will have to watch the scan all the way through and delete items manually

After the scan has completed, Ewido will create a report.

There will be a button located on the bottom of the screen named "Save report". Click "Save report" [to your desktop] and post it in your next response.

Exit Ewido Security Suite when done. Ewido offers a FREE 14 day full working trial. After the 14 day trial the only option that will be disabled is the "real-time" scanning which we did not install anyway.

When you have completed the scans, if you get a report of files that can't be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Please post a new HiJackThis Log.

After reviewing your log, I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix so we would like you to reenable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens, you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot. Reboot in normal mode.

Please post a new Hijackthis Log and any report of files that can't be cleaned / deleted (with their filenames and locations) from the scans and post it here as a reply.

Edited by suebaby41, 16 September 2005 - 03:22 PM.

Thanks, I'm working on those things right now. It seems though that when I run the Panda scan it finds things and when it starts to clean them it gets hung up on the Istsvc.exe. I'll post back when I get the scan completed and have a new log. Thanks again for your help.

The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.

The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files. These can be manually deleted using the following steps:

Start Internet Explorer.

Click Tools > Internet Options.

In the Temporary Internet Files section, click the Delete Files button.

Check Delete all offline content, and then click OK.

The Removal tool will not reset any changes made to settings in Internet Explorer. To restore default settings in Internet Explorer it is necessary to perform the following actions:

Click Start > Settings > Control Panel

Select Internet Options

Select the Programs tab

Click Reset Web Settings

Click OK

Exit Control Panel

A Firewall is an essential part of computer security and you do not appear to have one running on your system. It is important that you have a firewall in addition to the Windows SP2 firewall. There are a few available for free that have excellent reputations:

Zone Alarm Free Firewall

Kerio Free Firewall

To help prevent further infection, please download SpywareBlaster which will

Add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Restrict the actions of potentially unwanted sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.

And unlike other programs, SpywareBlaster does not have to remain running in the background.

You have a lot of infections. It is very important that you follow this direction:

After reviewing your log, I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix so we would like you to reenable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot. Reboot in normal mode.

Please post a new HiJackThis log.

Edited by suebaby41, 18 September 2005 - 03:46 PM.

Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Step 2

Please download CleanUp! CleanUp! is a powerful and easy-to-use application that removes temporary files created while surfing the web, empties the Recycle Bin, deletes files from your temporary folders and more. Open CleanUp, click on Options. Make sure that the following are checked:

Empty Recycle Bins

Delete cookies

Delete Prefetch files

Scan local drives for temporary files

CleanUp! All Users

The others are optional. Do not run it yet.

*IMPORTANT NOTE* CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Reboot to safe mode. If you don't know how to boot in safe mode, there is a tutorial HERE.

Step 5

Run Ewido in safe mode. Do not do anything else on your computer while Ewido is scanning.

Step 6

Report any files that can't be cleaned / deleted (with their filenames and locations) from the scans and post it here as a reply.

Step 7

You may want to print out this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs). Do not worry if they are not there:

ISTsvc

ISTbar

Web Offer

ezula

Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes and 'end task' them.

OR

Use the process viewer in Hijackthis: open the Misc Tools Section, then open Process Manager, find these programs and "kill process" the following running processes (Do not worry if they are not there):

pmpbkgil.exe

lkivnl.exe

nsvsvc.exe

vidctrl.exe

vrlt.exe

kpnbd.exe

wupco.exe

kfacle.exe

qhadxmky.exe

wffgn.exe

q1mcqjfi.exe

mmod.exe

wo.exe

services32.exe

services.exe

The entries below could have been set by malware, but they can also be set by a network admin if you are on a work computer or by a protection program like Spybot. If you are not aware of either of these being true, it would be a good idea to fix these:

IMPORTANT: Make sure you only delete the Windows file under Common Files. DO NOT DELETE C:\WINDOWS or C:\ProgramFiles\WindowNT

Step 8

Reboot to normal mode.

Step 9

Let's run Cleanup to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 10

Please run HijackThis in normal mode and post a fresh log so I can make sure that all the malware was deleted according to plan.

Edited by suebaby41, 18 September 2005 - 08:15 PM.

I've deleted the files I could find and ran the scans you wanted. There were some other folders and processes with random letter names, but I left them alone, I didn't know if they were bad or not. The computer seems to be doing a lot better than before. Thank you so much. Here is the new HJT log:

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is E0C9-114E